Data Mining BS/MS Project
Anomaly Detection for Cyber Security
Presentation by Mike Calder
Anomaly Detection
• Used for cyber security
– Detecting threats using network data
– Detecting threats using host-based data
• In some domains, anomalies are detected so that they can be removed/corrected
• In cyber security, the anomalies are what present threats that analysts need to find
Motivation
• Proactive vs. reactive security
– Taking a proactive approach identifies threats before they cause damage
– Taking a reactive approach minimizes and recovers from damage being caused
• If anomalies are detected in real-time, cyber damage can be minimized/avoided
Sample Network-Based Setup
Taken from (Yan, 2013)
These steps combine density-based clustering with network traffic anomaly detection
Example 3-D Resulting Dataset
Taken from (Yan, 2013)
Clusters are shown as different colors in this visual; anomaly detection identifies the outliers that fall outside every cluster
(axes/instances for this graph are not specified in the paper)
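The two slides above describe clustering flow features by density and treating the points that belong to no dense region as the anomalies. The following is an added example, not code from the slides or from Yan (2013): a small DBSCAN-style density clustering over constructed, pre-scaled flow features (packets per second, mean bytes per packet). Points that never reach the `min_pts` neighbour threshold are labelled noise (`-1`) and reported as anomalous flows; the feature choice, `eps` and `min_pts` values are assumptions for the illustration.

```python
"""Density-based clustering over constructed network-flow features.

Added example; not the setup from the slides or from Yan (2013).
Each flow is summarised as (packets/s, bytes/packet), already scaled to
comparable ranges. All sample values are constructed.
"""
import math

# Constructed flow features (packets/s, bytes/packet): two dense groups
# of ordinary traffic plus two isolated flows that match neither.
FLOWS = [
    (1.0, 1.1), (1.2, 0.9), (0.9, 1.0), (1.1, 1.2), (1.0, 0.8),   # web browsing
    (5.0, 5.2), (5.1, 4.9), (4.9, 5.0), (5.2, 5.1), (5.0, 4.8),   # bulk transfer
    (9.5, 0.2),   # very high packet rate, tiny packets: isolated
    (0.1, 9.8),   # rare, very large packets: isolated
]


def euclid(a, b):
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def region_query(points, idx, eps):
    """Indices of all points within eps of points[idx] (includes idx itself)."""
    return [j for j, q in enumerate(points) if euclid(points[idx], q) <= eps]


def dbscan(points, eps, min_pts):
    """Return one label per point: a cluster id >= 0, or -1 for noise.

    A point is a core point when at least min_pts points (itself included)
    lie within eps of it; clusters grow outward from core points.
    """
    labels = [None] * len(points)
    cluster = 0
    for i in range(len(points)):
        if labels[i] is not None:
            continue
        neighbours = region_query(points, i, eps)
        if len(neighbours) < min_pts:
            labels[i] = -1          # provisional noise; may become a border point
            continue
        labels[i] = cluster
        seeds = [j for j in neighbours if j != i]
        while seeds:
            j = seeds.pop()
            if labels[j] == -1:
                labels[j] = cluster  # noise reachable from a core point = border
            if labels[j] is not None:
                continue
            labels[j] = cluster
            nb = region_query(points, j, eps)
            if len(nb) >= min_pts:   # j is itself a core point: keep expanding
                seeds.extend(k for k in nb if labels[k] is None or labels[k] == -1)
        cluster += 1
    return labels


def cluster_count(points, eps=0.75, min_pts=3):
    """Number of dense clusters found (noise is not a cluster)."""
    return len({l for l in dbscan(points, eps, min_pts) if l >= 0})


def anomalous_flows(points, eps=0.75, min_pts=3):
    """Indices of flows labelled as noise, i.e. the anomaly candidates."""
    labels = dbscan(points, eps, min_pts)
    return [i for i, l in enumerate(labels) if l == -1]


if __name__ == "__main__":
    print("clusters:", cluster_count(FLOWS))
    for i in anomalous_flows(FLOWS):
        print("anomalous flow", i, FLOWS[i])
```

On the constructed data the two dense groups become clusters 0 and 1 and the two isolated flows are returned as anomalies. In practice `eps` and `min_pts` have to be tuned on a baseline of known-benign traffic, because a threshold that is too loose absorbs rare-but-malicious flows into a cluster while one that is too tight floods an analyst with noise points.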
Sample Host-Based Setup
Taken from (Stolfo, 2005)
Data is intercepted at kernel level and analyzed for anomaly detection in a data warehouse
Host-Based Results
• The “PAD Detector” in the previous graph used probabilistic anomaly detection on the system calls logged by the interceptor
• When attempting to identify “malicious” processes (programs that make file accesses they aren’t expected to), PAD achieved 95% accuracy
– With only a 2% false positive rate
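The slide above describes scoring file accesses against a probabilistic model of what each program normally touches, and reporting the result as accuracy and a false positive rate. The following is an added example, not the PAD detector from Stolfo (2005) and not code from the slides: a deliberately simple stand-in that counts, per program, how often each two-level directory prefix is accessed in a benign training run, assigns a smoothed probability to new accesses, and flags those below a threshold. The log lines, the prefix depth, the smoothing constant and the threshold are all constructed assumptions; the 95%/2% figures on the slide are the paper's results and are not reproduced here.

```python
"""Probabilistic scoring of process file accesses.

Added example; a simplified stand-in for the PAD detector on the slide,
not Stolfo's model. It learns, per program, how often each directory
prefix is accessed, then flags accesses whose smoothed probability falls
below a threshold. All events are constructed.
"""
from collections import Counter, defaultdict

# Constructed (program, path) pairs from a benign training run, repeated
# so that the counts carry some weight.
TRAIN = [
    ("httpd", "/var/www/html/index.html"),
    ("httpd", "/var/www/html/style.css"),
    ("httpd", "/var/log/httpd/access_log"),
    ("httpd", "/etc/httpd/httpd.conf"),
    ("sshd", "/etc/ssh/sshd_config"),
    ("sshd", "/var/log/secure"),
    ("sshd", "/etc/passwd"),
] * 5

# Constructed labelled test events: (program, path, is_malicious).
TEST = [
    ("httpd", "/var/www/html/about.html", False),
    ("httpd", "/var/log/httpd/error_log", False),
    ("sshd", "/etc/ssh/ssh_host_rsa_key", False),
    ("httpd", "/usr/lib64/libssl.so", False),       # benign but unseen in training
    ("httpd", "/etc/shadow", True),
    ("httpd", "/root/.ssh/authorized_keys", True),
    ("sshd", "/var/www/html/index.html", True),
]


def prefix(path, depth=2):
    """Collapse a path to its first `depth` components, e.g. /var/www."""
    parts = [p for p in path.split("/") if p]
    return "/" + "/".join(parts[:depth])


class FileAccessModel:
    def __init__(self, alpha=1.0):
        self.alpha = alpha                    # additive smoothing constant
        self.counts = defaultdict(Counter)    # program -> prefix -> count

    def fit(self, events):
        for prog, path in events:
            self.counts[prog][prefix(path)] += 1

    def probability(self, prog, path):
        """Smoothed estimate of P(prefix | program); unseen prefixes get a small mass."""
        c = self.counts[prog]
        total = sum(c.values())
        vocab = len(c) + 1                    # +1 reserves mass for never-seen prefixes
        return (c[prefix(path)] + self.alpha) / (total + self.alpha * vocab)

    def is_anomalous(self, prog, path, threshold=0.1):
        return self.probability(prog, path) < threshold


def evaluate(model, events, threshold=0.1):
    """Return (accuracy, false_positive_rate) over labelled events."""
    tp = tn = fp = fn = 0
    for prog, path, malicious in events:
        flagged = model.is_anomalous(prog, path, threshold)
        if flagged and malicious:
            tp += 1
        elif flagged and not malicious:
            fp += 1
        elif not flagged and malicious:
            fn += 1
        else:
            tn += 1
    accuracy = (tp + tn) / len(events)
    fpr = fp / (fp + tn) if (fp + tn) else 0.0
    return accuracy, fpr


if __name__ == "__main__":
    model = FileAccessModel()
    model.fit(TRAIN)
    for prog, path, malicious in TEST:
        print(prog, path, round(model.probability(prog, path), 3),
              "FLAG" if model.is_anomalous(prog, path) else "ok", "(malicious)" if malicious else "")
    print("accuracy, FPR:", evaluate(model, TEST))
```

The one benign-but-unseen access (`/usr/lib64/...`) is flagged, which is exactly the false-positive trade-off the slide quantifies: lowering the threshold reduces such alerts but lets unusual accesses through, so the threshold is chosen against a held-out benign run rather than fixed in advance.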
References
• X. Yan. “Early Detection of Cyber Security Threats using
Structured Behavior Modeling”. ACM Transactions on
Information and System Security, Vol. V, No. N. 2013.
• K. Ingham. “Comparing Anomaly Detection Techniques
for HTTP”. Proc. 10th International Symposium on
Recent Advances in Intrusion Detection. 2006.
• S. Stolfo. “Anomaly Detection in Computer Security and
an Application to File System Accesses”. Lecture Notes
in Computer Science, Vol. 3488, pp. 14-28. 2005.